From fc12c69399cc8f6792a8191840a5263d61c37eb0 Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Wed, 28 Dec 2022 02:47:51 +0000
Subject: [PATCH] fix CVE-2022-43552
(cherry picked from commit e07e319c34af05423ae01c534fb3cc5a960de3f8)
---
 ...ot-free-the-protocol-struct-in-_done.patch | 77 +++++++++++++++++++
 curl.spec | 9 ++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
diff --git a/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
new file mode 100644
index 0000000..116692b
--- /dev/null
+++ b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
@@ -0,0 +1,77 @@
+From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH 2/2] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 2cfe041df..48d5a2fe0 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = {
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = {
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature)
+-{
+- (void) premature;
+-  Curl_safefree(conn->data->req.protop);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+ struct smb_conn *smbc = &conn->proto.smbc;
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 24d3f1efb..22bc81e75 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct connectdata *conn,
+
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+-
+- Curl_safefree(conn->data->req.protop);
+-
+ return CURLE_OK;
+ }
+
+--
+2.33.0
diff --git a/curl.spec b/curl.spec
index 1b98d64..f55be9e 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 Name: curl
 Version: 7.71.1
-Release: 19
+Release: 20
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
@@ -49,6 +49,7 @@ Patch135: backport-CVE-2022-32208.patch
 Patch136: backport-fix-configure-disable-http-auth-build-error.patch
 Patch137: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch
 Patch138: backport-CVE-2022-32221.patch
+Patch139: backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -190,6 +191,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Wed Dec 28 2022 zhouyihang - 7.71.1-20
+- Type:cves
+- CVE:CVE-2022-43552
+- SUG:NA
+- DESC:fix CVE-2022-43552
+
 * Thu Oct 27 2022 yanglu - 7.71.1-19
 - Type:cves
 - CVE:CVE-2022-32221
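Review bot: Nothing in this backport shows who releases `conn->data->req.protop` once the frees in `smb_done()` and `telnet_done()` are gone; the embedded commit message says the generic layer manages it, but that cleanup path is outside these hunks and should be confirmed in the 7.71.1 source, otherwise the fix trades the early free for a leak. The `@@ -58,8 +58,6 @@` header still shows `smb_connect(struct Curl_easy *data, bool *done)` while the adapted lines take `struct connectdata *conn`, which suggests the hunks were edited by hand for this version; a line in the patch header such as `Backport note: adapted to 7.71.1, where the struct is conn->data->req.protop` would record that, and the patch should be checked to apply without fuzz. Because both the SMB and SMBS handler tables now carry `ZERO_NULL` for `done`, it is also worth confirming that every call site of the `done` callback in this tree tests the pointer before calling it. `telnet_done()` begins outside its hunk, so the lifetime of `tn` after the remaining `curl_slist_free_all()` call cannot be judged from this page alone.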